WHAT IS CLAIMED IS: 



1. A communications method for use in a system comprising first, second and third nodes, and a first secret, said first secret being shared between the first and second nodes to secure communications between said first and second nodes, the method comprising:
    operating the first node to establish a secure communications session with said second node using the first shared secret to secure the contents of packets communicated from the first node that are directed to the second node as part of the secure communications session;
    operating a third node which is coupled to said first and second nodes to maintain in memory a copy of said first shared secret; and
    operating the third node to receive a secure flow of packets from the first node that are directed to said second node as part of the secure communications session.

2. The method of claim 1, further comprising:
    operating the third node to receive from said second node the first shared secret and to store the first shared secret in memory, said received first shared secret being encrypted using a second shared secret known to the second and third nodes.



3. The method of claim 2, further comprising:
    operating said third node to receive and process packets sent from said first node as part of said established communications session, said third node sending a message to the first node indicating successful receipt of packets by said second node.

4. The method of claim 3, wherein said third node uses said first shared secret to secure the message to the first node.

5. The method of claim 5, wherein said third node operates as an application proxy for said second node during said secure communications session without informing said first node that the third node is acting as a proxy in the place of said second node.
6. The method of claim 5, further comprising:
    operating the third node to transmit to said second node information obtained from said communications session while said third node was acting as a proxy for said second node; and
    operating the second node to continue the secure communications session with the first node.

7. The method of claim 1, further comprising:
    operating the third node to inspect the secure packet flow from the first node, said step of inspecting said secure packet flow including performing at least one of a group of security steps which use the first shared secret, said group of security steps comprising: decrypting a packet, integrity checking contents of a packet, and authenticating a sender of a packet.

8. The method of claim 7, further comprising:
    operating the third node to drop the packet from the packet flow if the performed at least one of the group of security steps fails.

9. The method of claim 7, further comprising:
    operating the third node to additionally process the packets from the packet flow if no performed security step in said group of security steps fails.

10. The method of claim 9, further comprising:
    operating the third node to identify a packet with a disallowed packet payload by comparing at least a portion of the payload of each packet in the packet flow to information indicating allowed packet payloads, payloads of a type which are not indicated by said information being disallowed packet payloads.

11. The method of claim 10, further comprising:
    operating the third node to drop an identified packet with a disallowed packet payload.

12. The method of claim 10, further comprising:
    operating the third node to modify the packet payload of packets identified to include a disallowed packet payload based on stored information indicating payload modifications to be made to disallowed packet payloads.
13. The method of claim 12, wherein the modified payload generated by modifying a packet payload includes a message indicating that an erroneous payload was detected at the third node.

14. The method of claim 10, further comprising:
    operating the third node to process at least two packets in the packet flow to produce at least a third packet.

15. The method of claim 9, further comprising:
    operating the third node to generate an additional packet flow from the received packet flow directed to the second node and to forward the additional packet flow to the second node, packets in said additional packet flow having a source address corresponding to the first node and a destination address corresponding to the second node, said step of generating an additional packet flow including at least one of a group of security steps which use the first shared secret, the group of security steps consisting of: encrypting a packet, adding an integrity check for the contents of the packet, and adding an authenticator check for the packet sender.

16. The method of claim 1, wherein the second and third nodes each include a second secret used to secure communications between the third node and the second node, the method further comprising:
    operating the third node to generate an additional packet flow from the received packet flow directed to the second node and to forward the additional packet flow to the second node, packets in said additional packet flow having a source address corresponding to the third node and a destination address corresponding to the second node, said step of generating an additional packet flow including at least one of a group of security steps which use the second shared secret, the group of security steps consisting of: encrypting a packet, adding an integrity check for the contents of the packet, and adding an authenticator check for the packet sender.

17. The method of claim 16, further comprising:
    operating the second node to communicate the first shared secret to the third node, the first shared secret being encrypted using the second shared secret.

18. The method of claim 17, further comprising:
    mutually authenticating the second and third nodes prior to the second node transmitting the first shared secret to the third node.

19. A communications system, comprising:
    a first node including a first shared secret and a communications application for establishing a secure communications session using said first shared secret to secure packets communicated as part of said secure communications session;
    a mobile node including said first shared secret, a second shared secret, and at least one communications application for maintaining a secure communications session with said first node using said first shared secret;
    an intermediate node, coupled to said first node and said mobile node, said intermediate node including said first shared secret and said second shared secret, said intermediate node including:
        means for processing packets directed by said first node towards said mobile node as part of a secure communications session using said first shared secret; and
        means for sending a message to said first node secured by said first shared secret indicating successful receipt of said packets by said mobile node.

20. The communication system of claim 19, wherein said intermediate node further includes:
    means for communicating information generated by processing packets directed to said mobile node to said mobile node in packets secured using said second shared secret, said information being the result of application processing performed on the payload of at least two data packets to generate information not present in either of the two data packets.

21. The communication system of claim 20, wherein the mobile node includes means for sending said first shared secret to said intermediate node in an encrypted format resulting from encryption processing using said second shared secret.
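The following worked model is added here as an illustration; it is not taken from the claims or from any specification and does not describe the applicant's implementation. It exercises the method of claims 1 to 18 and the system of claims 19 to 21 end to end: the first node protects a packet with the first shared secret (K1); the third (intermediate) node, holding a copy of K1, decrypts, integrity-checks and authenticates the packet, drops it when any check fails, compares the payload against an allow-list and rewrites a disallowed payload into an error message, re-protects the result for the second node under the second shared secret (K2) with its own address as source, acknowledges receipt to the first node under K1 with the second node's address as source, and derives one summary packet from several. It also models the key delivery of claims 2, 17, 18 and 21: a challenge-response under K2, then transfer of K1 encrypted and authenticated under K2. Everything below is an assumption for the example: the node addresses, the packet layout, the allow-list, the challenge-response messages, and the encrypt-then-MAC construction built from HMAC-SHA256 so the block runs on the Python standard library alone (a deployment would use an established packet-protection protocol and cipher).

```python
"""Model of the three-node scheme in the claims: the first node protects packets
with shared secret K1, the third (intermediate) node holds a copy of K1 to
inspect them and forwards the result to the second (mobile) node under K2.
Constructed for illustration: packet layout, node addresses, allow-list and the
challenge-response messages are assumptions, not taken from the claims."""
import hashlib
import hmac
import os
import struct

FIRST, SECOND, THIRD = 1, 2, 3            # node addresses (assumed)
NONCE_LEN, HDR_LEN, TAG_LEN = 12, 16, 32   # header: src(1) dst(1) nonce(12) len(2)

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode stands in for a real cipher so that the block
    # needs only the standard library; the construction is not for production.
    out = b""
    for ctr in range(-(-length // 32)):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:length]

def protect(key, src, dst, payload, nonce=None):
    """Encrypt-then-MAC one packet: header || ciphertext || tag. The tag covers
    the header, so the source and destination addresses are authenticated."""
    nonce = nonce or os.urandom(NONCE_LEN)
    header = bytes([src, dst]) + nonce + struct.pack(">H", len(payload))
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    return header + ct + hmac.new(key, header + ct, hashlib.sha256).digest()

def unprotect(key, packet):
    """Integrity-check, authenticate and decrypt a packet. Returns
    (src, dst, payload), or None when any check fails so the caller drops it."""
    if len(packet) < HDR_LEN + TAG_LEN:
        return None
    header, ct, tag = packet[:HDR_LEN], packet[HDR_LEN:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, header + ct, hashlib.sha256).digest()):
        return None
    nonce, plen = header[2:HDR_LEN - 2], struct.unpack(">H", header[HDR_LEN - 2:])[0]
    if plen != len(ct):
        return None
    return header[0], header[1], bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, plen)))

def auth_proof(key, role, n_second, n_third):
    """Challenge-response proof of possession of K2 over both nonces; `role`
    binds the direction so one side's proof cannot be replayed as the other's."""
    return hmac.new(key, role + n_second + n_third, hashlib.sha256).digest()

def release_k1(k1, k2, n_second, n_third, proof_from_third):
    """Second node: verify the third node's proof, then send K1 encrypted and
    authenticated under K2, bound to the third node's nonce for freshness."""
    if not hmac.compare_digest(proof_from_third, auth_proof(k2, b"third", n_second, n_third)):
        return None
    return protect(k2, SECOND, THIRD, n_third + k1)

def receive_k1(k2, n_third, msg):
    """Third node: a valid tag under K2 authenticates the second node, and the
    echoed nonce rules out replay of an earlier delivery. Returns K1 or None."""
    parsed = unprotect(k2, msg)
    if parsed is None or parsed[0] != SECOND or parsed[2][:len(n_third)] != n_third:
        return None
    return parsed[2][len(n_third):]

ALLOWED_PAYLOADS = (b"GET ", b"POST ")     # constructed allow-list of payload types

def intermediate_process(k1, k2, packet, allowed=ALLOWED_PAYLOADS):
    """Third node: inspect with K1, drop on any failed check or wrong addresses,
    replace a disallowed payload with an error message, re-protect for the second
    node under K2 with the third node as source. Returns (action, outgoing, ack)."""
    parsed = unprotect(k1, packet)
    if parsed is None or parsed[0] != FIRST or parsed[1] != SECOND:
        return "drop", None, None
    payload = parsed[2]
    if not payload.startswith(allowed):
        payload = b"ERROR: disallowed payload detected at intermediate node"
    outgoing = protect(k2, THIRD, SECOND, payload)
    # The acknowledgement is secured with K1 and carries the second node's
    # address, so the first node need not learn that a proxy is in the path.
    ack = protect(k1, SECOND, FIRST, b"ACK %d" % len(parsed[2]))
    return "forward", outgoing, ack

def aggregate(k1, k2, packets):
    """Derive a single packet for the second node from several inspected packets:
    a count plus a digest over all payloads, information present in none of them."""
    payloads = [p[2] for p in (unprotect(k1, x) for x in packets) if p is not None]
    summary = struct.pack(">I", len(payloads)) + hashlib.sha256(b"".join(payloads)).digest()
    return protect(k2, THIRD, SECOND, summary)
```

The points worth checking when running this are that a packet protected under K1 is rejected when opened with K2, that a single flipped ciphertext byte is dropped rather than forwarded, that a packet whose source address is not the first node is dropped even though its tag verifies, and that the forwarded packet towards the second node carries the third node's address and verifies only under K2. The nonce echoed in the key-delivery message is what turns the one-way proof into mutual authentication: the second node proves knowledge of K2 by producing a valid tag over a message bound to the third node's fresh nonce.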



